A sophisticated Internet of Things (IoT) botnet, dubbed Kimwolf, has rapidly expanded its reach, compromising over two million devices and weaponizing them for massive distributed denial-of-service (DDoS) attacks and the relay of illicit internet traffic. Its alarming ability to scan local networks for additional vulnerable IoT devices presents a significant and insidious threat to organizations, with new research revealing its surprising prevalence within government and corporate networks.
The rapid proliferation of Kimwolf in late 2025 was facilitated by its exploitation of "residential proxy" services. These services, which allow users to anonymize and localize their web traffic by routing it through devices in specific geographic locations, were tricked into relaying malicious commands to devices on their internal networks. The malware responsible for transforming these devices into proxy nodes is often covertly bundled with seemingly innocuous mobile applications and games. Once installed, it compels the infected device to relay a variety of malicious and abusive internet activities, including ad fraud, account takeover attempts, and large-scale content scraping.
Kimwolf’s primary target for initial compromise was the Chinese residential proxy service IPIDEA, which boasts millions of available proxy endpoints weekly. Kimwolf operators discovered a critical vulnerability: they could forward malicious commands through IPIDEA’s proxy endpoints, enabling them to programmatically scan and infect other vulnerable devices within the local networks connected to these endpoints. The majority of devices compromised through this lateral movement technique were unofficial Android TV streaming boxes. These devices, often based on the Android Open Source Project rather than certified Android TV OS or Play Protect-enabled versions, are typically marketed as a one-time purchase solution for accessing pirated video content from subscription streaming services. A significant concern is that many of these TV boxes come with pre-installed residential proxy software and lack robust security or authentication mechanisms, making them easily exploitable if directly accessible.

While IPIDEA and other affected proxy providers have implemented measures to block Kimwolf’s upstream threats, with varying degrees of success, the malware persists on millions of compromised devices. Despite the initial association of Kimwolf with residential proxy networks and compromised Android TV boxes, which might suggest limited impact on corporate networks, recent research by the security firm Infoblox paints a starkly different picture. An analysis of Infoblox’s customer traffic revealed that nearly 25 percent of their clients made queries to Kimwolf-related domain names since October 1, 2025, the approximate date of the botnet’s emergence. These affected customers span the globe and encompass a diverse range of industries, including education, healthcare, government, and finance.
Infoblox clarified that these findings indicate that approximately a quarter of their customers had at least one device acting as an endpoint within a residential proxy service targeted by Kimwolf operators. Such a device, whether a smartphone or a laptop, was effectively co-opted by threat actors to probe the local network for vulnerable devices. A query signifies a scan attempt, not necessarily a successful compromise; lateral movement would be thwarted if no vulnerable devices were found or if DNS resolution was blocked.
Synthient, a startup specializing in tracking proxy services and credited with the initial disclosure of Kimwolf’s unique propagation methods on January 2, reported alarming numbers of IPIDEA proxy endpoints within government and academic institutions worldwide. Synthient identified at least 33,000 affected internet addresses at universities and colleges, and nearly 8,000 IPIDEA proxies within various U.S. and foreign government networks.
Further underscoring the pervasive nature of this threat, the proxy tracking service Spur, in a webinar on January 16, profiled internet addresses associated with IPIDEA and ten other proxy services potentially vulnerable to Kimwolf’s tactics. Spur discovered residential proxies within nearly 300 government-owned and operated networks, 318 utility companies, 166 healthcare organizations or hospitals, and 141 companies in the banking and finance sectors.

Riley Kilmer, Co-Founder of Spur, expressed significant concern over the presence of IPIDEA and similar proxy services within U.S. Department of Defense (DoD) networks. Kilmer highlighted the potential implications for network security, stating that while compromised devices might be segregated, their access could inadvertently grant malicious actors access to sensitive information. He emphasized that if a device is compromised and has access to a proxy, the proxy effectively gains access to what that device can access.
Kilmer further elaborated that Kimwolf exemplifies how a single residential proxy infection can escalate into major organizational problems, particularly for entities harboring unsecured devices behind their firewalls. Proxy services offer a seemingly straightforward avenue for attackers to probe other devices on an organization’s local network. By identifying a company with known proxy infections, attackers can leverage that network as an exit point and then pivot internally, establishing a foothold within the enterprise based solely on this initial compromise.
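As an added example, not code from the article or from any of the vendors it cites, the following Python script applies the two defender-side signals the article describes to constructed logs: queries to botnet-related domains (the signal Infoblox counted, which marks a scan attempt rather than a confirmed compromise) and a single internal host fanning out to many neighbours (the pivot Kilmer describes). The watchlist domains, IP addresses and log lines are all placeholders, since the article names none.

```python
"""Added example (not from the article): flag hosts that look like residential proxy
endpoints probing the LAN, using the two signals the article describes: DNS queries
to botnet-related domains and one host fanning out to many internal addresses."""
from collections import defaultdict
import ipaddress
# Placeholder watchlist: the article names no Kimwolf domains, so these are constructed.
BOTNET_WATCHLIST = {"kimwolf-c2.example", "proxy-beacon.example"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed resolver log: "<epoch> <client_ip> <queried_name>"
DNS_LOG = """\
1700000001 10.20.5.17 www.example.org
1700000002 10.20.5.17 KimWolf-c2.example.
1700000003 10.20.7.40 updates.example.net
1700000004 10.20.5.17 proxy-beacon.example
"""
# Constructed flow log: "<epoch> <src_ip> <dst_ip> <dst_port>"; 10.20.5.17 sweeps its /24
FLOW_LOG = "\n".join(f"17000001{i:02d} 10.20.5.17 10.20.5.{i} 8080" for i in range(1, 13))
FLOW_LOG += "\n1700000150 10.20.7.40 203.0.113.9 443\n"

def dns_watchlist_hits(log, watchlist):
    """Map each client to the watchlisted names it resolved (case and trailing dot ignored)."""
    hits = defaultdict(set)
    for line in log.splitlines():
        _, client, qname = line.split()
        qname = qname.rstrip(".").lower()
        if qname in watchlist:
            hits[client].add(qname)
    return dict(hits)

def internal_fanout(log, min_targets=8):
    """Sources that touched at least min_targets distinct RFC1918 hosts: LAN probing."""
    targets = defaultdict(set)
    for line in log.splitlines():
        _, src, dst, _ = line.split()
        if any(ipaddress.ip_address(dst) in net for net in RFC1918):
            targets[src].add(dst)
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}

def suspected_proxy_endpoints(dns_log, flow_log, watchlist, min_targets=8):
    """Combine both signals; a watchlist query alone is a scan attempt, not a confirmed compromise."""
    dns = dns_watchlist_hits(dns_log, watchlist)
    scans = internal_fanout(flow_log, min_targets)
    verdicts = {(True, True): "proxy endpoint probing the LAN",
                (True, False): "watchlist query only: scan attempt, verify DNS/egress blocking",
                (False, True): "internal fan-out without watchlist hit: investigate"}
    return {host: {"domains": sorted(dns.get(host, ())),
                   "internal_targets": scans.get(host, 0),
                   "verdict": verdicts[(host in dns, host in scans)]}
            for host in set(dns) | set(scans)}
```

On real data, feed the script your resolver and flow exports in the same three- and four-column shapes; a host that trips only the DNS signal is where to confirm that the blocking the article mentions actually stopped the probe.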
This exposé on the Kimwolf botnet is the third installment in a series. The next article will delve into the individuals and companies based in China connected to the Badbox 2.0 botnet, a collective designation for a vast array of Android TV streaming box models that are shipped with no discernible security or authentication and pre-installed with residential proxy malware.
Additional resources for further reading include:
- The Kimwolf Botnet is Stalking Your Local Network
- Who Benefitted from the Aisuru and Kimwolf Botnets?
- A Broken System Fueling Botnets (Synthient)